storage

package
v0.88.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 4, 2023 License: MIT Imports: 6 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var CheckAllowMicrosoftServiceBypass = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0010",
		Provider:   providers.AzureProvider,
		Service:    "storage",
		ShortCode:  "allow-microsoft-service-bypass",
		Summary:    "Trusted Microsoft Services should have bypass access to Storage accounts",
		Impact:     "Trusted Microsoft Services won't be able to access storage account unless rules set to allow",
		Resolution: "Allow Trusted Microsoft Services to bypass",
		Explanation: `Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. 

To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformAllowMicrosoftServiceBypassGoodExamples,
			BadExamples:         terraformAllowMicrosoftServiceBypassBadExamples,
			Links:               terraformAllowMicrosoftServiceBypassLinks,
			RemediationMarkdown: terraformAllowMicrosoftServiceBypassRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, account := range s.Azure.Storage.Accounts {
			for _, rule := range account.NetworkRules {
				var found bool
				for _, bypass := range rule.Bypass {
					if bypass.EqualTo("AzureServices") {
						found = true
					}
				}
				if !found {
					results.Add(
						"Network rules do not allow bypass for Microsoft Services.",
						&rule,
					)
				} else {
					results.AddPassed(&rule)
				}

			}
		}
		return
	},
)
View Source
var CheckDefaultActionDeny = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0012",
		Provider:   providers.AzureProvider,
		Service:    "storage",
		ShortCode:  "default-action-deny",
		Summary:    "The default action on Storage account network rules should be set to deny",
		Impact:     "Network rules that allow could cause data to be exposed publicly",
		Resolution: "Set network rules to deny",
		Explanation: `The default_action for network rules should come into effect when no other rules are matched.

The default action should be set to Deny.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/firewall/rule-processing",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformDefaultActionDenyGoodExamples,
			BadExamples:         terraformDefaultActionDenyBadExamples,
			Links:               terraformDefaultActionDenyLinks,
			RemediationMarkdown: terraformDefaultActionDenyRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, account := range s.Azure.Storage.Accounts {
			for _, rule := range account.NetworkRules {
				if rule.AllowByDefault.IsTrue() {
					results.Add(
						"Network rules allow access by default.",
						rule.AllowByDefault,
					)
				} else {
					results.AddPassed(&rule)
				}
			}
		}
		return
	},
)
View Source
var CheckEnforceHttps = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0008",
		Provider:   providers.AzureProvider,
		Service:    "storage",
		ShortCode:  "enforce-https",
		Summary:    "Storage accounts should be configured to only accept transfers that are over secure connections",
		Impact:     "Insecure transfer of data into secure accounts could be read if intercepted",
		Resolution: "Only allow secure connection for transferring data into storage accounts",
		Explanation: `You can configure your storage account to accept requests from secure connections only by setting the Secure transfer required property for the storage account. 

When you require secure transfer, any requests originating from an insecure connection are rejected. 

Microsoft recommends that you always require secure transfer for all of your storage accounts.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnforceHttpsGoodExamples,
			BadExamples:         terraformEnforceHttpsBadExamples,
			Links:               terraformEnforceHttpsLinks,
			RemediationMarkdown: terraformEnforceHttpsRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, account := range s.Azure.Storage.Accounts {
			if account.Metadata.IsUnmanaged() {
				continue
			}
			if account.EnforceHTTPS.IsFalse() {
				results.Add(
					"Account does not enforce HTTPS.",
					account.EnforceHTTPS,
				)
			} else {
				results.AddPassed(&account)
			}
		}
		return
	},
)
View Source
var CheckNoPublicAccess = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0007",
		Provider:   providers.AzureProvider,
		Service:    "storage",
		ShortCode:  "no-public-access",
		Summary:    "Storage containers in blob storage mode should not have public access",
		Impact:     "Data in the storage container could be exposed publicly",
		Resolution: "Disable public access to storage containers",
		Explanation: `Storage container public access should be off. It can be configured for blobs only, containers and blobs or off entirely. The default is off, with no public access.

Explicitly overriding publicAccess to anything other than off should be avoided.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#set-the-public-access-level-for-a-container",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicAccessGoodExamples,
			BadExamples:         terraformNoPublicAccessBadExamples,
			Links:               terraformNoPublicAccessLinks,
			RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, account := range s.Azure.Storage.Accounts {
			for _, container := range account.Containers {
				if container.PublicAccess.NotEqualTo(storage.PublicAccessOff) {
					results.Add(
						"Container allows public access.",
						container.PublicAccess,
					)
				} else {
					results.AddPassed(&container)
				}
			}
		}
		return
	},
)
View Source
var CheckQueueServicesLoggingEnabled = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0009",
		Provider:   providers.AzureProvider,
		Service:    "storage",
		ShortCode:  "queue-services-logging-enabled",
		Summary:    "When using Queue Services for a storage account, logging should be enabled.",
		Impact:     "Logging provides valuable information about access and usage",
		Resolution: "Enable logging for Queue Services",
		Explanation: `Storage Analytics logs detailed information about successful and failed requests to a storage service. 

This information can be used to monitor individual requests and to diagnose issues with a storage service. 

Requests are logged on a best-effort basis.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?tabs=dotnet",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformQueueServicesLoggingEnabledGoodExamples,
			BadExamples:         terraformQueueServicesLoggingEnabledBadExamples,
			Links:               terraformQueueServicesLoggingEnabledLinks,
			RemediationMarkdown: terraformQueueServicesLoggingEnabledRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, account := range s.Azure.Storage.Accounts {
			if account.Metadata.IsUnmanaged() || len(account.Queues) == 0 {
				continue
			}
			if account.QueueProperties.EnableLogging.IsFalse() {
				results.Add(
					"Queue services storage account does not have logging enabled.",
					account.QueueProperties.EnableLogging,
				)
			} else {
				results.AddPassed(&account)
			}
		}
		return
	},
)
View Source
var CheckUseSecureTlsPolicy = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AZU-0011",
		Provider:   providers.AzureProvider,
		Service:    "storage",
		ShortCode:  "use-secure-tls-policy",
		Summary:    "The minimum TLS version for Storage Accounts should be TLS1_2",
		Impact:     "The TLS version being outdated and has known vulnerabilities",
		Resolution: "Use a more recent TLS/SSL policy for the load balancer",
		Explanation: `Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. 

Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.

This check will warn if the minimum TLS is not set to TLS1_2.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformUseSecureTlsPolicyGoodExamples,
			BadExamples:         terraformUseSecureTlsPolicyBadExamples,
			Links:               terraformUseSecureTlsPolicyLinks,
			RemediationMarkdown: terraformUseSecureTlsPolicyRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, account := range s.Azure.Storage.Accounts {
			if account.Metadata.IsUnmanaged() {
				continue
			}
			if account.MinimumTLSVersion.NotEqualTo("TLS1_2") {
				results.Add(
					"Storage account uses an insecure TLS version.",
					account.MinimumTLSVersion,
				)
			} else {
				results.AddPassed(&account)
			}
		}
		return
	},
)

Functions

This section is empty.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL